CVE-2026-56354
Received Received - Intake

Stored XSS and Open Redirect in n8n Workflow Form Node

Vulnerability report for CVE-2026-56354, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions can inject malicious scripts or redirect parameters to perform stored XSS attacks or phishing redirects against end users.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
n8n n8n to 1.123.24 (exc)
n8n n8n From 2.10.4 (inc)
n8n n8n From 2.12.0 (inc)
n8n n8n to 1.123.24|end_excluding=2.10.4|end_excluding=2.12.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the CVE-2026-56354 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56354 is a vulnerability in the n8n workflow automation tool affecting versions before 1.123.24, 2.10.4, and 2.12.0. It involves cross-site scripting (XSS) and open redirect issues in the Form Node component.

The root cause is unsanitized HTML description fields and overly permissive iframe sandbox policies, which allow authenticated users with workflow creation permissions to inject malicious scripts or redirect parameters.

This enables stored XSS attacks or phishing redirects against other users interacting with the affected forms.

Impact Analysis

This vulnerability can be exploited by authenticated users who have workflow creation or modification permissions to inject malicious scripts or redirect users to arbitrary external URLs.

The impact includes the possibility of stored cross-site scripting attacks, which can execute malicious code in the context of other users, and phishing redirects that can lead users to fraudulent websites.

Such attacks can compromise user trust, lead to credential theft, or facilitate further exploitation of the system.

Detection Guidance

This vulnerability involves cross-site scripting (XSS) and open redirect issues in the Form Node of n8n due to unsanitized HTML description fields and permissive iframe sandbox policies. Detection typically requires reviewing the versions of n8n in use and inspecting workflow creation permissions and Form Node configurations.

Specifically, you can check the n8n version to see if it is before 1.123.24, 2.10.4, or 2.12.0, which are the patched versions.

While no explicit detection commands are provided, you can use commands to identify the n8n version running on your system, for example:

  • Check n8n version via CLI: `n8n --version`
  • Review running containers or processes for n8n version tags, e.g., `docker ps` and `docker inspect <container_id>` if using Docker.
  • Audit user permissions to identify users with workflow creation rights who could exploit the vulnerability.

To detect exploitation attempts, monitor logs for unusual script injections or redirects in Form Node workflows, although specific commands for this are not detailed in the provided resources.

Mitigation Strategies

Immediate mitigation steps include updating n8n to the patched versions 1.123.24, 2.10.4, or 2.12.0, which address the cross-site scripting and open redirect vulnerabilities in the Form Node.

If immediate updating is not possible, temporary mitigations include restricting workflow creation permissions to trusted users only.

Another temporary measure is to disable the Form and Form Trigger nodes via environment variables to prevent exploitation.

These steps reduce the risk of stored XSS attacks or phishing redirects by limiting the ability of attackers to inject malicious scripts or redirect parameters.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart